System and Method for Efficiently Securing Enterprise Data Resources

1. A method of implementing policy based access controls within a role based access control model of a data management system comprising a plurality of data resources, said method comprising: receiving a policy based security definition specifying a set of policy based rules to define a logical partition of the data resources, the logical partition specifying data that is accessible within the data resources; according to the policy based security definition, defining a set of filters as a secure resource, each filter specifying a portion of the data resources available to a user submitting a query, the available portion of the data resources based on a set of user attributes associated with each filter, each filter being parameterized based on the set of user attributes associated with a role of the user submitting the query; storing the secure resource and the set of policy based rules defining the logical partition in a secure repository; by a computer, producing a role based security definition by configuring a role based access control declaration for the secure resource based on at least one particular user role and at least one user attribute, the secure resource for modifying a submitted query for processing, the query being modified based on the set of user attributes associated with each filter, wherein processing the submitted query comprises executing the submitted query with each filter on the data resources; and storing the role based access control declaration in the secure repository.

2. The method of claim 1 , wherein processing the submitted query effectuates the set of policy based rules based on the user role.

3. The method of claim 1 , wherein said receiving, defining, and producing is performed by a security access manager that is integrated with the data management system.

4. The method of claim 3 , wherein the security access manager further performs functionality of a role based security engine that processes the role based security definition to effectuate the set of policy based rules associated with the role based security definition.

5. The method of claim 1 , wherein defining the set of filters comprises using the set of user attributes associated with each filter to define the set of filters.

6. A method comprising: receiving a query from a user requesting access to a plurality of data objects stored within an enterprise; retrieving a policy based security definition from a secure repository, the policy based security definition specifying a set of policy based rules to define a logical partition of the data objects, the logical partition specifying data that is accessible within the data objects; retrieving a secure resource from the secure repository, the secure resource defined by a set of filters, each filter specifying a portion of the data objects available to the user submitting the query, the logical partition of data objects based on a set of attributes associated with each filter, wherein each filter is parameterized based on the set of user attributes associated with a role of the user submitting the query; retrieving a role based access control declaration for the secure resource from the secure repository, the role based access control declaration based on the role of the user submitting the query and the set of user attributes associated with each filter; by a computer, modifying the query to restrict user access to the portion of the data objects based on the secure resource and the set of user attributes associated with each filter; and using the modified query to query the portion of the data objects accessible to the user based on the set of user attributes associated with each filter.

7. The method of claim 6 , wherein retrieving the secure resource comprises identifying at least one data object to associate with the secure resource.

8. The method of claim 6 , wherein said data objects are stored across a plurality of data storages in said enterprise.

9. A method of managing access to data objects in a data management system of an enterprise, the method comprising: defining a set of filters as a secure resource according to a policy based security definition specifying at least one policy based access rule for defining a logical partition of the data objects, the logical partition specifying data that is accessible within the data objects, each filter specifying a portion of the data objects available to a user submitting a query, the logical partition of the data objects based on a set of user attributes associated with each filter, each filter being parameterized based on a role associated with the user submitting the query and the set of user attributes associated with the role of the user submitting the query; storing the secure resource and the policy based access rules for the logical partition in a secure repository; configuring a role based security definition by configuring a role based access control declaration for the secure resource according to at least one particular user role and at least one user attribute; storing the role based access control declaration in the secure repository; by a computer, modifying the user submitted query based on the secure resource and the set of user attributes associated with each filter; and performing the modified user query over the portion of the data objects that are accessible to the user.

10. The method of claim 9 , wherein the set of user attributes for parameterizing the filters is not a user role.

11. The method of claim 9 , wherein defining the set of filters as the secure resource comprises associating at least one secure resource with a set of data attributes associated with the portion of the data objects.

12. The method of claim 9 , wherein configuring the role based security definition further comprises, for the secure resource, configuring a first level of access permissions to the secure resource for a user assigned a first role and configuring a second level of access permissions to the secure resource for a user assigned a second role.

13. The method of claim 9 , wherein modifying the user submitted query further comprises (i) determining whether at least one secure resource is defined for the data objects, (ii) including policy based access rules with the query when a secure resource is defined, and (iii) performing the query over the data objects when a secure resource is not defined.

14. The method of claim 9 , wherein the secure resource comprises data attributes of the data objects.

15. An apparatus comprising: a processor; and a non-volatile memory storing: a first configurable module which when executed by the processor (i) produces a policy based security definition specifying a set of policy based rules to define a logical partition of a set of data resources, the logical partition specifying data that is accessible within the data resources, (ii) defines, according to the policy based security definition, a set of filters as a secure resource, each filter specifying a portion of the data resources available to a user submitting a query, the logical partition of the data resources based on a set of user attributes associated with each filter, each filter being parameterized based on the set of user attributes associated with a role of the user submitting the query, (iii) configures a role based security definition by configuring a role based access control declaration for the secure resource according to at least one particular user role and at least one user attribute, and (iv) stores the secure resource, the set of policy based rules defining the logical partition, and the role based security definition in a secure repository; and a second configurable module, which when executed by the processor, modifies the query submitted against the set of data resources to include the set of user attributes associated with each filter, wherein the modified query is performed against the portion of the data resources available to the user based on the set of user attributes associated with each filter.

16. The apparatus of claim 15 , wherein the modified query is passed to a data management system for execution.